
Penetration Testing with Kali Linux 2018: Setup, Methodology and Information Gathering

Prerequisites

This content is intended for penetration testers, ethical hackers, and IT security professionals with basic Unix/Linux operating system knowledge. A baseline understanding of core information security concepts is expected. To get the most out of this material, it is recommended you review the following core topics first:

  • The 7 layers of the OSI model
  • The TCP/IP protocol suite
  • The TCP three-way handshake
  • Common network protocols and port numbers
  • Wireless fundamentals (802.11 a/b/g/n/ac, WEP, WPA2)
  • Basic Linux commands (ls, cd, clear, etc.)

Installing and Configuring Kali Linux 2018.2

Kali Linux is the de facto standard operating system for professional penetration testing, packed with hundreds of preconfigured security tools. This section covers installation, configuration, and core functionality of Kali Linux 2018.2.

Hardware and Software Requirements

For a virtual machine installation of Kali Linux paired with a test lab, you will need a desktop or laptop with at least 6GB of RAM and 100GB of free hard disk space. For portable installations on USB or SD/micro-SD cards, a minimum of 8GB storage is required, with 16GB or more recommended. You will also need to download the following before starting:

Kali Linux Tool Categories

Kali Linux 2018.2 includes dozens of updates and improvements over previous releases, including:

  • Improved support for AMD GPUs
  • Spectre and Meltdown vulnerability patches for x86 and x86_64 architectures
  • Updated Metasploit Framework (version 4.16.34-0kali2 and newer) with easier access
  • Updated tools including Bloodhound v1.51, Reaver 1.6.4, PixieWPS 1.42, BurpSuite 1.7.32, and Hashcat 4.0
  • Improvements to Wpscan, Openvas, Xplico, Responder, and Dradis

All penetration testing tools in Kali are grouped into the following core categories:

  • Information Gathering: Tools for collecting data about DNS, network topology, operating systems, routing, SSL/TLS, SMB, VPN, VoIP, SNMP, email addresses, and more.
  • Vulnerability Assessment: Tools for general vulnerability scanning, Cisco network assessment, database vulnerability testing, and fuzzing.
  • Web Application Testing: Tools for scanning content management systems, database exploitation, web fuzzing, proxying, crawling, and vulnerability scanning.
  • Database Assessment: Specialized tools for testing the security of SQL and other common database systems.
  • Password Attacks: Tools for both online and offline password cracking and brute force attacks.
  • Wireless Attacks: Tools for testing Bluetooth, RFID/NFC, and Wi-Fi network security.
  • Exploitation: Tools for leveraging vulnerabilities discovered on target systems, including tools for social engineering and exploit research.
  • Sniffing & Spoofing: Tools for capturing network and web traffic, plus network spoofing utilities like Ettercap and Yersinia.
  • Post-Exploitation: Tools for maintaining access to compromised targets, setting up backdoors, and creating network tunnels. Root-level access is usually required before using tools in this category.
  • Digital Forensics: Tools for evidence acquisition, data recovery, incident response, and file carving.
  • Reporting: Tools for documenting penetration testing processes and results.
  • Social Engineering: Tools including Maltego and the Social Engineering Toolkit (SET), commonly used during reconnaissance and exploitation phases.
  • System Services: Preconfigured services useful during testing, including Apache, MySQL, SSH, and Metasploit RPC.

To simplify access for new users, Kali includes a "Top 10 Security Tools" category with the most commonly used utilities: aircrack-ng, burp-suite, hydra, john, maltego, metasploit, nmap, sqlmap, wireshark, and zaproxy. Additional categories outside of core penetration testing include reverse engineering, stress testing, hardware hacking, and advanced forensics. One of the most popular forensic tools included is Volatility, a command-line utility for analyzing memory dumps, plus GUI tools like Autopsy, Guymager, and the updated Xplico.

Downloading Kali Linux

You can download official Kali Linux images from the project website, with options for i386, x86_64, and armhf architectures. Pre-built images for VirtualBox, VMware, and Hyper-V are available from Offensive Security at https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-hyperv-image-download/. Custom ARM images for devices like Raspberry Pi and Chromebooks are available at https://www.offensive-security.com/kali-linux-arm-images/, and Kali NetHunter v3.0 for mobile devices can be downloaded from the Offensive Security website.

After downloading your image, always verify the SHA-256 checksum to ensure the file was not corrupted or tampered with. On Linux/Unix systems, use the sha256sum command:

sha256sum kali-linux-2018.2-amd64.iso

Compare the output hash to the value provided on the download page. For Windows users, a free tool like MD5 & SHA Checksum Utility can be used to verify the hash. If the hashes do not match, re-download the image from an official mirror.
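The comparison above is easy to get wrong by eye (a 64-character hex string, possibly in a different letter case than the page shows). The following is an added example, not code from the original article: a small POSIX shell function that does the comparison for you and exits non-zero on a mismatch, so it can be used in a download script. It assumes GNU coreutils sha256sum, which Kali ships; the demo file it hashes is constructed in place as a stand-in for the real ISO.

```shell
#!/bin/sh
# Added example, not from the original article: check a downloaded image
# against the SHA-256 value published on the Kali download page.
# Assumes GNU coreutils sha256sum (present on Kali and most Linux systems).

# verify_sha256 FILE EXPECTED_HEX
# Exit status: 0 when FILE's digest equals EXPECTED_HEX (case-insensitive),
# 1 on mismatch, 2 when FILE cannot be read.
verify_sha256() {
    local file expected actual
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published hash"
        return 0
    fi
    echo "MISMATCH: $file -- do not use this image" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Demo on a constructed stand-in for kali-linux-2018.2-amd64.iso.
demo=$(mktemp)
printf 'not a real ISO\n' > "$demo"
published=$(sha256sum "$demo" | cut -d' ' -f1)   # pretend this came from the download page
verify_sha256 "$demo" "$published"
verify_sha256 "$demo" "$(printf '%064d' 0)" || echo "exit status $? as expected for a tampered image"
rm -f "$demo"
```

Usage: `verify_sha256 kali-linux-2018.2-amd64.iso <hash from the download page> || exit 1`. A matching hash only proves the file is the one the download page describes; it does not prove the download page itself was not tampered with, which is why the Kali project also publishes a SHA256SUMS file with a detached GPG signature that you can check against the Kali signing key.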

Deployment Options

You can run Kali Linux in one of three common configurations:

  1. Live DVD boot
  2. Full installation to a local hard drive
  3. Portable installation on a USB flash drive

Live DVD Mode

Burning the Kali ISO to a DVD and booting from it is the fastest way to test Kali without making changes to your system. The main downside is that all configuration changes and files are lost when you reboot, and performance is slower than a hard drive installation. This mode is only recommended for testing.

Hard Drive Installation

You can install Kali directly to a physical machine or as a virtual machine. For testing and learning, a virtual machine installation is almost always preferred.

For physical installations, ensure you are using an empty hard drive or have backed up all existing data before starting. If you want to dual-boot Kali alongside Windows, follow the official guide at https://docs.kali.org/installation/dual-boot-kali-with-windows. Tools like GParted Live or SystemRescueCD can be used to partition your drive safely before installation.

The installation steps for physical media are:

  1. Boot from the Kali Live DVD and select the graphical install option
  2. Select your language, location, and keyboard layout
  3. Set the system hostname (leave the default kali for beginners) and leave the domain name blank
  4. Set a strong password for the root user
  5. Select your time zone
  6. For partitioning, select Guided - use entire disk for a simple installation if you are using an empty drive. For dual-boot, select manual partitioning.
  7. Select whether to put all files on a single partition, or create a separate /home partition (recommended if you want to preserve your files during reinstallation).
  8. Confirm the partitioning changes and write them to disk
  9. Decline the network mirror option for beginners, then proceed with installation
  10. When prompted, install GRUB to the master boot record (MBR) unless you already have another boot loader installed
  11. Once installation completes, reboot and log in with the root credentials you created. The default root password for live images is toor if you did not set a custom one during installation.

Virtual Machine Installation

To install Kali as a virtual machine in VirtualBox, follow these steps:

  1. Click New to create a new virtual machine
  2. Name your VM Kali 2018, select Linux as the type and Debian (64-bit) as the version, then click Next
  3. Allocate at least 2048MB of RAM (4GB+ is recommended), then click Next
  4. Select Create a new virtual hard disk now, then click Create
  5. Select VDI as the hard disk type, then select Dynamically allocated
  6. Allocate at least 32GB of storage, then click Create
  7. Select your new VM and click Start, then navigate to your downloaded Kali ISO and start the installation. Follow the same installation steps outlined for physical installations.

You can also use a pre-built Kali VM image from Offensive Security, which eliminates manual installation steps. After downloading and extracting the pre-built image, select Use an existing virtual hard disk file when creating your VM, then select the provided .vmdk file. The default credentials for pre-built images are username root and password toor. For penetration testing, change the default network type from NAT to Bridged, and always change the default root password.

A key benefit of virtual machines is the ability to pause your work and move the VM between host machines. To export a VM, go to File > Export Appliance, select your VM, choose a save location, and export. To import on a new host, go to File > Import Appliance and follow the prompts.

Portable USB Installation

You can create a portable Kali installation that runs on any computer that supports USB booting. This is the preferred method for many Kali developers. On Windows, the easiest tool to create a bootable Kali USB is Rufus (https://rufus.akeo.ie/). On Linux, you can use the dd command:

dd if=kali-linux-2018.2-amd64.iso of=/dev/sdb bs=512k

Replace /dev/sdb with the path to your USB drive; confirm the device name with lsblk before running dd, because dd writes to whatever device you name and overwrites its contents without confirmation. You will need at least a 16GB USB 3.0 drive for best performance. To add persistent storage that saves your changes between reboots, follow the official guide at https://docs.kali.org/installation/kali-linux-live-usb-install.

Post-Installation Configuration

VirtualBox Guest Additions

After installing Kali in VirtualBox, install the VirtualBox Guest Additions for improved performance, resizable screens, shared clipboard, and shared folders:

  1. Go to Devices > Insert Guest Additions CD Image
  2. Open a terminal and navigate to the mounted CDROM: cd /media/cdrom0
  3. Run the installer script: sh ./VBoxLinuxAdditions.run
  4. After installation completes, eject the CD image and reboot your VM with reboot

Network Configuration

By default, pre-built Kali VMs use NAT for networking. This allows Kali to access the internet through your host, but does not allow external devices to connect to the Kali VM. For penetration testing, change the network adapter to Bridged mode:

  1. Shut down your VM, open VirtualBox Manager, select your Kali VM, and click Settings > Network
  2. Change Attached to from NAT to Bridged Adapter, then select the host network interface connected to your test network.

To set a static IP address, edit /etc/network/interfaces and add the following configuration, adjusting the values to match your network:

auto eth0
iface eth0 inet static
address 192.168.1.15
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1

For wireless connections when running Kali as a VM, you will need an external USB wireless adapter. Plug in the adapter, go to Devices > USB Devices and select your adapter to pass it through to the VM. Verify it is detected with:

ifconfig

You should see a wlan0 or wlan1 interface listed. You can then connect to any available wireless network via the GUI network manager.

Updating Kali Linux

Always update Kali after installation to get the latest security patches and tool updates. First, configure your package sources by editing /etc/apt/sources.list:

leafpad /etc/apt/sources.list

Add the official Kali rolling repository:

deb http://http.kali.org/kali kali-rolling main contrib non-free
# For source packages, uncomment the line below
# deb-src http://http.kali.org/kali kali-rolling main contrib non-free

Next, update the package index:

apt update

You can upgrade all installed packages with one of two commands:

  • apt upgrade: Upgrades all existing packages to their latest version, leaves unchanged any packages that have dependency conflicts.
  • apt full-upgrade: Upgrades the entire distribution, resolves dependencies by adding or removing packages as needed.

Running Kali on AWS

Kali Linux is available as an Amazon Machine Image (AMI) on AWS, allowing you to run a Kali instance in the cloud. To set it up:

  1. Create an AWS account at https://aws.amazon.com/
  2. In the EC2 dashboard, go to Network & Security > Key Pairs, create a new key pair, and save the .pem file to your local machine.
  3. Go to AWS Marketplace, search for "Kali Linux" and select the official Kali AMI.
  4. Select the t2.micro instance type (eligible for the free tier) and launch the instance.
  5. When prompted, select your existing key pair and complete launch.
  6. Convert your .pem key to PuTTY's .ppk format using puttygen.exe, then connect via SSH to the public DNS of your instance with username ec2-user. After connecting, update Kali as outlined earlier.

Building a Penetration Testing Lab

A controlled lab environment lets you practice penetration testing skills without violating any laws or causing damage to production systems. This section covers setting up a fully functional lab.

Requirements

Physical vs Virtual Lab

The choice between physical and virtual hardware depends on your budget and available resources. For most learners, a fully virtual lab on a single capable host is more than sufficient. Always allocate enough RAM to your VMs to avoid performance issues; if you have enough physical RAM, allocating more than the minimum recommended to each VM will improve performance significantly.

Setting Up a Windows 10 Test VM

For testing Windows-targeted exploits, install a Windows 10 evaluation VM:

  1. Download the Windows 10 Enterprise evaluation ISO from https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise
  2. Create a new VM in VirtualBox, name it Windows 10 Test, select Windows 10 64-bit as the version.
  3. Allocate at least 2GB of RAM (4GB+ recommended) and 64GB of dynamic storage.
  4. Boot from the downloaded ISO, follow the installation steps to complete setup.
  5. Take a snapshot of the clean installation so you can revert it after testing.

Installing Vulnerable Target VMs

We install intentionally vulnerable virtual machines as targets for practice. Never test these on public networks or systems you do not own.

Metasploitable 2

Metasploitable 2 is a popular intentionally vulnerable Linux VM created by Rapid7, ideal for beginners:

  1. Download the zip file and extract it to get the VMDK file.
  2. Create a new VM named Metasploitable2, select Linux Ubuntu 64-bit as the version.
  3. Allocate 1024MB of RAM, select Use an existing virtual hard disk and select the extracted VMDK.
  4. Change the network adapter to Host-Only Adapter to isolate it from external networks.
  5. Start the VM and log in with username msfadmin and password msfadmin.

Metasploitable 3

Metasploitable 3 is an updated vulnerable image based on Windows Server 2008, with more modern vulnerabilities. It requires Packer and Vagrant to build from source:

  1. Install VirtualBox, Packer, and Vagrant, add Packer to your system PATH.
  2. Clone the source repository from https://github.com/rapid7/metasploitable3
  3. Open PowerShell, navigate to the project folder, and run ./build_win2008 to start the build. If you run into issues building, you can download a pre-built OVA image from the link in the requirements section, and import it directly into VirtualBox. Allocate at least 1GB of RAM for best performance.

BadStore

BadStore is a small, easy-to-install vulnerable web application VM, perfect for beginners learning web exploitation:

  1. Download the BadStore ISO from the link in the requirements.
  2. Create a new VM named BadStore, allocate 640MB of RAM and 4GB of dynamic storage.
  3. Change the network adapter to Bridged, boot from the ISO.
  4. After boot, run ifconfig to get the VM's IP address, then navigate to http://<badstore-ip>/cgi-bin/badstore.cgi in a browser to access the vulnerable application.

Installing Additional Tools in Kali

Kali comes with most common penetration testing tools preinstalled, but you may need to add third-party tools occasionally. Always prefer installing tools from the official Kali repository when possible, to avoid dependency and stability issues.

The common package management commands are listed below. Search for a package:

apt-cache search <package_name>

Get detailed information about a package:

apt-cache show <package_name>

Install a package:

apt install <package_name>

For Debian packages (.deb) downloaded from outside the repository, use dpkg -i <package-file.deb> to install.

Common Network Services in Kali

Kali includes pre-installed network services that are commonly used during testing:

Apache Web Server

Apache is preinstalled and can be used to host malicious scripts or files during testing. To start Apache:

service apache2 start

To stop Apache:

service apache2 stop

To enable automatic start on boot:

update-rc.d apache2 defaults

MySQL Database

MySQL can be used to store penetration testing results and scan data. To start MySQL:

service mysql start

Verify it is running by connecting as root:

mysql -u root

To stop MySQL:

service mysql stop

To enable automatic start:

update-rc.d mysql defaults

SSH

SSH allows secure remote access to your Kali machine. To start the SSH server:

service ssh start

To stop the SSH server:

service ssh stop

To enable automatic start:

update-rc.d ssh defaults
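Once the SSH server is started on a bridged adapter it is reachable from the whole test network, so it is worth checking how sshd is configured before enabling it. The following is an added example, not code from the original article: a POSIX shell audit of an sshd_config file that reads the effective value of a keyword the way OpenSSH does (the first uncommented occurrence wins, and values inside a Match block are conditional) and flags the settings most often left weak. The two config files it checks are constructed for the example; on a real system you would point it at /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from the original article: audit an sshd_config before
# exposing the Kali VM's SSH service on a bridged network. Both config files
# below are constructed for the example; the real file is /etc/ssh/sshd_config.

# sshd_option FILE KEYWORD -> effective value of KEYWORD, or nothing if unset.
# Mirrors OpenSSH's rule that the first value for a keyword is the one used,
# and ignores everything after the first Match block (those values are conditional).
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
        tolower($1) == "match"   { exit }            # stop at conditional blocks
        tolower($1) == key       { print $2; exit }  # first occurrence wins
    ' "$1"
}

# audit_sshd FILE -> prints one line per weak setting; return value is the
# number of findings, so 0 means nothing was flagged. The defaults used when a
# keyword is absent are OpenSSH's own (PermitRootLogin prohibit-password,
# PasswordAuthentication yes, PermitEmptyPasswords no).
audit_sshd() {
    local findings v
    findings=0
    v=$(sshd_option "$1" PermitRootLogin)
    case "${v:-prohibit-password}" in
        yes) echo "PermitRootLogin yes: root can log in with a password"; findings=$((findings+1));;
    esac
    v=$(sshd_option "$1" PasswordAuthentication)
    case "${v:-yes}" in
        yes) echo "PasswordAuthentication yes: password guessing is possible, prefer keys"; findings=$((findings+1));;
    esac
    v=$(sshd_option "$1" PermitEmptyPasswords)
    case "${v:-no}" in
        yes) echo "PermitEmptyPasswords yes: accounts with empty passwords can log in"; findings=$((findings+1));;
    esac
    return $findings
}

# Constructed config that still has the weak settings.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# constructed sshd_config fragment (weak)
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
EOF

# Constructed config after hardening; the Match block must not change the result.
HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
# constructed sshd_config fragment (hardened)
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF

audit_sshd "$WEAK_CFG" || echo "$? weak setting(s) found in $WEAK_CFG"
audit_sshd "$HARD_CFG" && echo "no weak settings found in $HARD_CFG"
```

Usage: `audit_sshd /etc/ssh/sshd_config`. Because the exit status is the number of findings, the function drops straight into a provisioning script as a gate (`audit_sshd /etc/ssh/sshd_config || exit 1`). Note that the commented-out `#PasswordAuthentication no` line in the weak file is ignored, which is the classic mistake the audit is meant to catch.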

Additional Practice Resources

There are many free resources available to practice your penetration testing skills:


Penetration Testing Methodologies

A consistent, structured methodology is critical for conducting a thorough, successful penetration test. It provides a clear roadmap for testing and ensures no steps are missed, while still allowing flexibility for testers to follow their intuition.

Types of Penetration Testing

Penetration tests are generally grouped into three categories based on the amount of information provided to the tester:

  • White Box Testing: The tester has full access to internal system information, network diagrams, and credentials. This type of testing is commonly used to test new applications before they go into production, as part of the SDLC process.
  • Black Box Testing: The tester is only given high-level information about the target, with no internal access. This simulates a real external attack, but can take more time and may miss some vulnerabilities if the scope is not clearly defined.
  • Gray Box Testing: The tester is given limited internal information, and attacks from an external perspective. This is the most common type of penetration test.

Common industry-standard frameworks include the OWASP Testing Guide, PCI DSS Penetration Testing Guidance, Penetration Testing Execution Standard (PTES), NIST SP 800-115, and the OSSTMM.

General Penetration Testing Workflow

Most methodologies follow the same general set of phases:

  1. Reconnaissance
  2. Scanning and Enumeration
  3. Gaining Access
  4. Privilege Escalation
  5. Maintaining Access
  6. Covering Tracks
  7. Reporting

Reconnaissance

Reconnaissance (also called footprinting) is the process of collecting as much open-source information about the target as possible. Common information collected during this phase includes employee names, contact details, email addresses, phone numbers, used technologies, infrastructure details, and job posting information. All of this information can be used to build attack vectors later in the test.

Scanning and Enumeration

After reconnaissance, scanning identifies live hosts and open ports on the target network, while enumeration collects detailed information about the services running on those ports.

Nmap is the most widely used port scanning tool. Common Nmap commands include the following. Service version detection:

nmap 192.168.1.15 -sV

OS detection:

nmap 192.168.1.15 -O

Ping scan for live hosts in a subnet:

nmap 192.168.1.0/24 -sP

Nmap categorizes ports into three states:

  • Open: An application is actively listening on this port.
  • Closed: No application is listening, but the port is reachable.
  • Filtered: A firewall or network filter is blocking access to the port, so Nmap cannot determine its state.
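On a subnet scan the three states are spread over many hosts, and reading them out of nmap's normal output is tedious. The following is an added example, not code from the original article: two POSIX shell functions that parse nmap's grepable output format (what `-oG FILE` writes) and report, per host, which ports are open, closed or filtered. The scan lines they run over are constructed for the example; the hosts, services and version strings are made up and do not describe any real system.

```shell
#!/bin/sh
# Added example, not part of the original article: summarise the open,
# closed and filtered states from nmap's grepable output (nmap -oG FILE).
# The scan lines below are constructed for the example, not a real capture;
# the hosts, services and versions are made up.

SCAN_FILE=$(mktemp)
cat > "$SCAN_FILE" <<'EOF'
# Nmap 7.70 scan initiated as: nmap -sV -oG lab.gnmap 192.168.1.0/24
Host: 192.168.1.15 ()   Status: Up
Host: 192.168.1.15 ()   Ports: 22/open/tcp//ssh//OpenSSH 7.7/, 80/open/tcp//http//Apache httpd 2.4/, 445/filtered/tcp//microsoft-ds///, 3306/closed/tcp//mysql///   Ignored State: closed (996)
Host: 192.168.1.20 ()   Status: Up
Host: 192.168.1.20 ()   Ports: 21/open/tcp//ftp//vsftpd 2.3.4/, 23/open/tcp//telnet//Linux telnetd/   Ignored State: closed (998)
# Nmap done: 256 IP addresses (2 hosts up) scanned
EOF

# ports_in_state FILE HOST STATE -> space-separated port numbers of HOST in STATE.
# Works whether the fields are tab- or space-separated, since awk's default FS covers both.
ports_in_state() {
    awk -v host="$2" -v want="$3" '
        $1 == "Host:" && $2 == host && /Ports:/ {
            line = $0
            sub(/^.*Ports: /, "", line)                # drop the host prefix
            sub(/[ \t]*Ignored State:.*$/, "", line)   # drop the trailer
            n = split(line, entry, /, /)
            out = ""
            for (i = 1; i <= n; i++) {
                # each entry is port/state/proto/owner/service/rpcinfo/version/
                split(entry[i], f, "/")
                if (f[2] == want) out = out (out == "" ? "" : " ") f[1]
            }
            print out
        }' "$1"
}

# summarise_scan FILE -> one line per host: "HOST open=N closed=N filtered=N".
# Only ports nmap lists individually are counted; the "Ignored State" trailer
# is where nmap folds the hundreds of uninteresting (usually closed) ports.
summarise_scan() {
    awk '
        $1 == "Host:" && /Ports:/ {
            host = $2
            line = $0
            sub(/^.*Ports: /, "", line)
            sub(/[ \t]*Ignored State:.*$/, "", line)
            n = split(line, entry, /, /)
            o = c = fl = 0
            for (i = 1; i <= n; i++) {
                split(entry[i], f, "/")
                if (f[2] == "open") o++
                else if (f[2] == "closed") c++
                else if (f[2] == "filtered") fl++
            }
            printf "%s open=%d closed=%d filtered=%d\n", host, o, c, fl
        }' "$1"
}

summarise_scan "$SCAN_FILE"
echo "open on 192.168.1.15: $(ports_in_state "$SCAN_FILE" 192.168.1.15 open)"
echo "filtered on 192.168.1.15: $(ports_in_state "$SCAN_FILE" 192.168.1.15 filtered)"
```

Usage against a real scan: `nmap -sV -oG lab.gnmap 192.168.1.0/24` and then `summarise_scan lab.gnmap`. The `filtered` column is the one to watch when you are validating a firewall rule set, since it is the only state that tells you a filter, rather than the host, answered the probe.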

Common enumeration techniques include DNS zone transfers, SMB share enumeration, and SNMP polling. For example, DNSRecon can be used to request a full DNS zone transfer:

dnsrecon -d example.com -a

Gaining Access

In this phase, you leverage discovered vulnerabilities to get an initial foothold on the target. Common attack vectors include phishing, exploiting unpatched services, and abusing weak credentials. Frameworks like Metasploit simplify this process by providing pre-built exploit payloads that can be run directly on target systems.

Common exploits for Windows targets include EternalBlue (MS17-010), targeting SMB on port 445, and MS08-067. Tools like Impacket provide Python implementations of common protocols that make it easy to get command execution on Windows targets via SMB:

psexec.py <username>:<password>@<target-ip> powershell

Privilege Escalation

Initial access to a target is almost always as a low-privilege user. Privilege escalation is the process of gaining higher-level access, up to administrator or root on the target system. In Active Directory environments, this often means gaining access to a Domain Admin account.

Maintaining Access

Maintaining access (persistence) ensures you can reconnect to the target even after reboots or logouts. This can be achieved via scheduled tasks, backdoor services, or planted access keys.

Covering Tracks

This phase involves cleaning up any changes made to the target, removing tools, and editing logs to remove evidence of your access. Always track all changes you make during a test to make cleanup easier.

Reporting

The final phase involves compiling all your findings into a clear report for the client. Tools like Dradis (preinstalled in Kali) help organize findings and import results from common scanning tools. Run Dradis with service dradis start, and access it via https://<kali-ip>:3004 in your browser.


Footprinting and Information Gathering

Information gathering is the first and most important phase of any penetration test. The more information you collect about your target during this phase, the easier it will be to find and exploit vulnerabilities later. Information gathering is split into two categories: active gathering (which sends traffic directly to the target) and passive gathering (which uses third-party public data to collect information without contacting the target directly).

Open Source Intelligence (OSINT)

Open Source Intelligence refers to information collected from publicly available sources that the target has published voluntarily as part of their normal operations. Many organizations accidentally leak sensitive information via public sources, so OSINT is often extremely valuable for penetration testers.

Common public resources for OSINT are listed below:

Resource URL                        Purpose
https://archive.org                 Archive of historical website versions
https://www.domaintools.com         Domain name intelligence
https://www.alexa.com               Website traffic and ranking data
https://serversniff.net             Free network analysis and routing tools
https://centralops.net              Free online network utilities including Whois, ping, and traceroute
https://www.robtex.com              Domain and network information search
https://pipl.com                    Search for personal information by name and location
https://www.tineye.com              Reverse image search
https://www.sec.gov/edgar.shtml     Public company filing search for US publicly traded companies

Whois Lookup

After identifying a target domain, the first step is to query the Whois database for registration information. Kali includes a command-line Whois client by default:

whois example.com

Whois results include the domain's registration date, expiration date, name server information, and registrant contact details.

DNS Analysis

Common DNS record types include:

  • SOA: Start of Authority, marks the start of a domain's authoritative record
  • NS: Name server record
  • A: IPv4 address record
  • MX: Mail exchange record
  • PTR: Reverse DNS pointer record
  • AAAA: IPv6 address record
  • CNAME: Canonical name, an alias for another domain

The host command can be used to resolve domain names to IP addresses, and query all DNS record types:

host -a example.com

The dig command is a more flexible alternative for DNS queries:

dig example.com

DMitry (Deepmagic Information Gathering Tool) is an all-in-one tool that can collect Whois information, subdomains, email addresses, and run basic port scanning:

dmitry -iwnse example.com

To run a basic port scan with service banner grabbing:

dmitry -p example.com -f -b

Maltego is a graphical OSINT tool that maps relationships between different entities such as domains, IP addresses, people, and email addresses. It comes preinstalled in Kali, and can pull information from dozens of public sources to build a complete map of your target's infrastructure.

Routing Information

Tools that map the network route between your machine and the target can help identify intermediate firewalls and network devices. tcptraceroute uses TCP SYN packets to get through firewalls that block traditional ICMP/UDP traceroute:

tcptraceroute www.example.com 80

tctrace is another tool that uses the TCP three-way handshake to map routes through filtered networks.

Search Engine Based Intelligence

There are many tools that leverage search engines to collect sensitive information that targets accidentally leak online.

SimplyEmail is a tool that harvests email addresses from public sources including search engines, Pastebin, and social media. Install it with:

curl -s https://raw.githubusercontent.com/killswitch-GUI/SimplyEmail/master/setup/oneline-setup.sh | bash

Run a full email harvest with:

./SimplyEmail.py -all -e example.com

It automatically generates an HTML report with all collected email addresses, and can verify if emails are valid.

The Google Hacking Database (GHDB) is a collection of advanced Google search queries that can reveal sensitive information, vulnerable servers, login pages, and exposed files that are not easily found via normal searching. It is maintained by Offensive Security at https://www.exploit-db.com/google-hacking-database/.

Metagoofil is a tool that searches for public documents on a target domain, downloads them, and extracts metadata including author usernames, software versions, and server names. Install it with:

apt install metagoofil

Run a scan with:

metagoofil -d example.com -l 20 -t doc,pdf -n 5 -f results.html -o output

The extracted usernames can be used later for password attacks.

Automated Information Gathering Tools

There are many fully automated tools that combine multiple OSINT techniques into a single interface. Two popular options are:

  1. Devploit: A free open-source tool available at https://github.com/joker25000/Devploit, with 19 different information gathering modules. Clone it to your Kali machine, install it, and run it via the devploit command.
  2. Red Hawk v2: An all-in-one information gathering toolkit available at https://github.com/Tuhinshubhra/RED_HAWK, which can run Whois lookup, banner grabbing, MX record lookup, and more from a single interface.

Shodan Search Engine

Shodan (https://www.shodan.io/) is a search engine for internet-connected devices. It scans the internet for open ports and services, and indexes devices including webcams, routers, servers, SCADA systems, and IoT devices. You can search for devices by port, operating system, location, and keyword. Always ensure you only access public devices you have permission to test, in accordance with local laws.

Target Geolocation

Tools like Blue-Thunder IP Locator can retrieve detailed geolocation information for target IP addresses and domains, including ISP, country, latitude, and longitude. Install it from https://github.com/th3sha10wbr04rs/Blue-Thunder-IP-Locator-, install the required Perl dependencies, and run it with:

perl blue_thunder.pl www.example.com
